From 6b2045f99956b2982a68a503a235832e4bf6b81f Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Fri, 6 Dec 2024 16:50:39 -0500 Subject: [PATCH] Deprecate all recently added PKCS7 functions --- crypto/pkcs7/pkcs7.c | 17 ------- crypto/pkcs7/pkcs7_x509.c | 3 ++ include/openssl/pkcs7.h | 104 ++++++++++++++++++++------------------ 3 files changed, 58 insertions(+), 66 deletions(-) diff --git a/crypto/pkcs7/pkcs7.c b/crypto/pkcs7/pkcs7.c index 5321536e7b..0b22ea6ff4 100644 --- a/crypto/pkcs7/pkcs7.c +++ b/crypto/pkcs7/pkcs7.c @@ -29,7 +29,6 @@ #include "../internal.h" #include "internal.h" -// TODO remove all other usages of OPENSSL_BEGIN_ALLOW_DEPRECATED in this file OPENSSL_BEGIN_ALLOW_DEPRECATED // 1.2.840.113549.1.7.1 @@ -815,9 +814,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) { goto err; } BIO_set_mem_eof_return(bio, /*eof_value*/ 0); - OPENSSL_BEGIN_ALLOW_DEPRECATED if (!PKCS7_is_detached(p7) && content && content->length > 0) { - OPENSSL_END_ALLOW_DEPRECATED // |bio |needs a copy of |os->data| instead of a pointer because the data // will be used after |os |has been freed if (BIO_write(bio, content->data, content->length) != content->length) { @@ -838,9 +835,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) { return NULL; } -OPENSSL_BEGIN_ALLOW_DEPRECATED int PKCS7_is_detached(PKCS7 *p7) { - OPENSSL_END_ALLOW_DEPRECATED GUARD_PTR(p7); if (PKCS7_type_is_signed(p7)) { return (p7->d.sign == NULL || p7->d.sign->contents->d.ptr == NULL); @@ -958,11 +953,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) { case NID_pkcs7_signed: si_sk = p7->d.sign->signer_info; // clang-format off -OPENSSL_BEGIN_ALLOW_DEPRECATED content = PKCS7_get_octet_string(p7->d.sign->contents); // If detached data then the content is excluded if (PKCS7_type_is_data(p7->d.sign->contents) && PKCS7_is_detached(p7)) { -OPENSSL_END_ALLOW_DEPRECATED // clang-format on ASN1_OCTET_STRING_free(content); content = NULL; 
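Review bot: Dropping the TODO leaves the file-scope `OPENSSL_BEGIN_ALLOW_DEPRECATED` near the top of pkcs7.c as the only suppression, so every definition in the file is compiled with deprecation warnings off, including any function this commit keeps supported (the `PKCS7_type_is_*` predicates, if they live here), and a future non-deprecated helper that calls a deprecated API will no longer be flagged. The same applies to the two pkcs7_x509.c hunks, which wrap the whole translation unit from `PKCS7_get_certificates` to the end of the file, even though the header hunk keeps the PEM getters above the deprecated section. If file-wide suppression is the intended policy, record it at the marker, e.g. `// Whole file: the deprecated PKCS7 implementations call each other freely.`; otherwise narrow the region to the deprecated definitions. No matching `OPENSSL_END_ALLOW_DEPRECATED` for pkcs7.c is visible in this diff, unlike pkcs7_x509.c which adds one, so it is worth confirming the file already closes the region.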
@@ -973,9 +966,7 @@ OPENSSL_END_ALLOW_DEPRECATED case NID_pkcs7_digest: content = PKCS7_get_octet_string(p7->d.digest->contents); // If detached data, then the content is excluded - OPENSSL_BEGIN_ALLOW_DEPRECATED if (PKCS7_type_is_data(p7->d.digest->contents) && PKCS7_is_detached(p7)) { - OPENSSL_END_ALLOW_DEPRECATED ASN1_OCTET_STRING_free(content); content = NULL; p7->d.digest->contents->d.data = NULL; @@ -1032,9 +1023,7 @@ OPENSSL_END_ALLOW_DEPRECATED } } - OPENSSL_BEGIN_ALLOW_DEPRECATED if (!PKCS7_is_detached(p7)) { - OPENSSL_END_ALLOW_DEPRECATED if (content == NULL) { goto err; } @@ -1087,9 +1076,7 @@ int pkcs7_final(PKCS7 *p7, BIO *data) { BIO *p7bio; int ret = 0; - OPENSSL_BEGIN_ALLOW_DEPRECATED if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) { - OPENSSL_END_ALLOW_DEPRECATED OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB); goto err; } @@ -1098,9 +1085,7 @@ int pkcs7_final(PKCS7 *p7, BIO *data) { goto err; } - OPENSSL_BEGIN_ALLOW_DEPRECATED if (!PKCS7_dataFinal(p7, p7bio)) { - OPENSSL_END_ALLOW_DEPRECATED OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB); goto err; } @@ -1134,9 +1119,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, for (size_t i = 0; i < sk_X509_num(certs); i++) { x509 = sk_X509_value(certs, i); - OPENSSL_BEGIN_ALLOW_DEPRECATED if (!PKCS7_add_recipient(p7, x509)) { - OPENSSL_END_ALLOW_DEPRECATED OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_ERROR_ADDING_RECIPIENT); goto err; } diff --git a/crypto/pkcs7/pkcs7_x509.c b/crypto/pkcs7/pkcs7_x509.c index ce097e81a7..680f3bd67d 100644 --- a/crypto/pkcs7/pkcs7_x509.c +++ b/crypto/pkcs7/pkcs7_x509.c @@ -29,6 +29,7 @@ #include "../internal.h" #include "internal.h" +OPENSSL_BEGIN_ALLOW_DEPRECATED int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) { int ret = 0; @@ -592,3 +593,5 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) { X509_CRL_up_ref(crl); return 1; } + +OPENSSL_END_ALLOW_DEPRECATED 
diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h index a483f6db9e..b53ebe68e2 100644 --- a/include/openssl/pkcs7.h +++ b/include/openssl/pkcs7.h @@ -101,6 +101,36 @@ OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio); +// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If +// the length of the object is indefinite the full contents of |bio| are read. +// +// If the function fails then some unknown amount of data may have been read +// from |bio|. +OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out); + +// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on +// error. +OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7); + +// PKCS7_type_is_data returns 1 if |p7| is of type data +OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7); + +// PKCS7_type_is_digest returns 1 if |p7| is of type digest +OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7); + +// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted +OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7); + +// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped +OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7); + +// PKCS7_type_is_signed returns 1 if |p7| is of type signed +OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7); + +// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type +// signedAndEnveloped +OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7); + // Deprecated functions. // 
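Review bot: The six `PKCS7_type_is_*` comments added here state only the 1 case, while the callers in pkcs7.c use them as plain booleans (`if (PKCS7_type_is_signed(p7))`), so each should spell out the other result, e.g. `// PKCS7_type_is_data returns 1 if |p7| is of type data and 0 otherwise.`. The declarations are moved above the `// Deprecated functions.` marker, which means that despite the subject line these eight functions (plus `d2i_PKCS7_bio` and `i2d_PKCS7_bio`) stay supported; a sentence in the commit description saying so would save the next reader from checking. The `d2i_PKCS7_bio` comment defers to `|d2i_PKCS7|` for the `|out|` semantics, which is fine as long as that function's own comment covers the `*out` reuse case.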
@@ -261,108 +291,84 @@ DEFINE_STACK_OF(PKCS7_SIGNER_INFO) // PKCS7_dup returns a newly allocated copy of |p7| without deep-copying // internal references. -OPENSSL_EXPORT PKCS7 *PKCS7_dup(PKCS7 *p7); - -// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If -// the length of the object is indefinite the full contents of |bio| are read. -// -// If the function fails then some unknown amount of data may have been read -// from |bio|. -OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out); - -// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on -// error. -OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7); +OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *PKCS7_dup(PKCS7 *p7); // PKCS7_get_signed_attribute returns a pointer to the first signed attribute // from |si| with NID |nid| if one is present, else NULL. -OPENSSL_EXPORT ASN1_TYPE *PKCS7_get_signed_attribute( +OPENSSL_EXPORT OPENSSL_DEPRECATED ASN1_TYPE *PKCS7_get_signed_attribute( const PKCS7_SIGNER_INFO *si, int nid); // PKCS7_get_signer_info returns |p7|'s attached PKCS7_SIGNER_INFO if present // and |p7| is of a relevant type, else NULL. This function only pertains to // signedData and signedAndEnvelopedData. -OPENSSL_EXPORT STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7); +OPENSSL_EXPORT OPENSSL_DEPRECATED STACK_OF(PKCS7_SIGNER_INFO) * +PKCS7_get_signer_info(PKCS7 *p7); // PKCS7_RECIP_INFO_set attaches |x509| to |p7i| and increments |x509|'s // reference count. It returns 1 on success and 0 on failure or if |x509|'s // public key not usable for encryption. -OPENSSL_EXPORT int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_RECIP_INFO_set( + PKCS7_RECIP_INFO *p7i, X509 *x509); // PKCS7_SIGNER_INFO_set attaches the other parameters to |p7i|, returning 1 on // success and 0 on error or if specified parameters are inapplicable to // signing. Only EC, DH, and RSA |pkey|s are supported. 
|pkey|'s reference // count is incremented, but neither |x509|'s nor |dgst|'s is. -OPENSSL_EXPORT int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, - EVP_PKEY *pkey, const EVP_MD *dgst); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_SIGNER_INFO_set( + PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst); // PKCS7_add_certificate adds |x509| to |p7|'s certificate stack, incrementing // |x509|'s reference count. It returns 1 on success and 0 on failure or if // |p7| isn't of an applicable type: signedData and signedAndEnvelopedData. -OPENSSL_EXPORT int PKCS7_add_certificate(PKCS7 *p7, X509 *x509); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_certificate(PKCS7 *p7, + X509 *x509); // PKCS7_add_crl adds |x509| to |p7|'s CRL stack, incrementing |x509|'s // reference count. It returns 1 on success and 0 on failure or if |p7| isn't // of an applicable type: signedData and signedAndEnvelopedData. -OPENSSL_EXPORT int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509); // PKCS7_add_recipient_info adds |ri| to |p7|, returning 1 on succes or 0 if // |p7| is of an inapplicable type: envelopedData and signedAndEnvelopedData. -OPENSSL_EXPORT int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_recipient_info( + PKCS7 *p7, PKCS7_RECIP_INFO *ri); // PKCS7_add_signer adds |p7i| to |p7|, returning 1 on succes or 0 if // |p7| is of an inapplicable type: signedData and signedAndEnvelopedData. -OPENSSL_EXPORT int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_signer(PKCS7 *p7, + PKCS7_SIGNER_INFO *p7i); // PKCS7_content_new allocates a new PKCS7 and adds it to |p7| as content. It // returns 1 on success and 0 on failure. 
-OPENSSL_EXPORT int PKCS7_content_new(PKCS7 *p7, int nid); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_content_new(PKCS7 *p7, int nid); // PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of // |p7|. It frees any existing content on |p7|, returning 1 on success and 0 on // failure. -OPENSSL_EXPORT int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_content(PKCS7 *p7, + PKCS7 *p7_data); // PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of // |p7|: signedData and digestData. |p7_data| may be NULL. It frees any // existing content on |p7|, returning 1 on success and 0 on failure. -OPENSSL_EXPORT int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_cipher( + PKCS7 *p7, const EVP_CIPHER *cipher); // PKCS7_set_type instantiates |p7| as type |type|. It returns 1 on success and // 0 on failure or if |type| is not a valid PKCS7 content type. -OPENSSL_EXPORT int PKCS7_set_type(PKCS7 *p7, int type); +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_type(PKCS7 *p7, int type); // PKCS7_RECIP_INFO_get0_alg sets |*penc| to |ri|'s key encryption algorithm, // if present. Ownership of |*penc| is retained by |ri|. -OPENSSL_EXPORT void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, - X509_ALGOR **penc); +OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_RECIP_INFO_get0_alg( + PKCS7_RECIP_INFO *ri, X509_ALGOR **penc); // PKCS7_SIGNER_INFO_get0_algs sets all of, if present: |*pk| to |si|'s key, // |*pdig| to |si|'s digest angorithm, and |*psig| to |si|'s signature // algorithm. Ownership of |*pk|, |*pdig|, and |*psig) is retained by |si|. 
-OPENSSL_EXPORT void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, - EVP_PKEY **pk, - X509_ALGOR **pdig, - X509_ALGOR **psig); +OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_SIGNER_INFO_get0_algs( + PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, X509_ALGOR **pdig, X509_ALGOR **psig); -// PKCS7_type_is_data returns 1 if |p7| is of type data -OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7); - -// PKCS7_type_is_digest returns 1 if |p7| is of type digest -OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7); - -// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted -OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7); - -// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped -OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7); - -// PKCS7_type_is_signed returns 1 if |p7| is of type signed -OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7); - -// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type -// signedAndEnveloped -OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7); // Deprecated flags //
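Review bot: The comment kept above the re-declared `PKCS7_set_cipher` is a copy of the one for `PKCS7_set_content`: it describes `|p7_data|`, a parameter this function does not have, and says nothing about `|cipher|`; since the commit already rewrites that declaration line, the comment should be replaced with one naming `|cipher|` and the 1/0 return. Smaller documentation slips next to other touched declarations: `succes` in the `PKCS7_add_recipient_info` and `PKCS7_add_signer` comments, `angorithm` and the mismatched `|*psig)` in the `PKCS7_SIGNER_INFO_get0_algs` comment, and the `PKCS7_add_crl` comment calling its `X509_CRL` parameter `|x509|`. Each deprecated declaration now carries `OPENSSL_DEPRECATED` but no pointer to what callers should migrate to; if the `// Deprecated functions.` section header (outside this hunk) does not say, a one-line note there would help. The hunk appears to end at the `// Deprecated flags` context lines, so the remainder of the section is not visible here.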